
Configuring PGP Encrypted Facebook Notifications

Facebook isn’t synonymous with privacy by any stretch of the imagination. But for some reason, they decided to add a feature that allows for military grade encryption of email notifications. You can use any OpenPGP implementation with the feature. PGP was created by Phil Zimmermann. You can learn more about the creation in my article here.

In short, PGP is a symmetric-key encryption system. The software generates a unique public and private key pair based on a secret password you enter and on the level of cryptographic strength you choose during generation.

Once the keys are generated, you can distribute your public key to other individuals. They can encrypt a secret text, file, or email with your public key. Once it is encrypted, the only person who can decrypt it is you. When you receive the encrypted file, you use your secret passphrase and private key to decrypt it for viewing. The same works in reverse for anyone you wish to communicate with: encrypt a file with their public key so it cannot be viewed by taps on the internet, the network, or possibly the machine. It is completely safe until it is opened by the receiver.

A feature like this shouldn’t go to waste, so it’s time to implement it. We will need to install some OpenPGP software, create our keys, upload the public key to Facebook and confirm that everything worked out correctly.

Creating the PGP public and secret key

We need to install GNU Privacy Guard, which is a free and complete implementation of OpenPGP. You can try other routes but GPG is considered an industry standard so it’s better to stick to what most people trust for proper encryption.

Install with your operating system’s package manager.

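Windows users not familiar with Chocolatey: install procedure here.

# Windows with Chocolatey
choco install gnupg

# Linux (use your distribution's package manager)
sudo <apt|apt-get|dnf> install gnupg2
# Arch Linux: pacman takes -S and the package is named gnupg
sudo pacman -S gnupg

# OS X with Homebrew
brew install gnupg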

With GNU Privacy Guard installed, time to create your first PGP public and corresponding secret key to start receiving encrypted notifications from Facebook.

To generate your keys, fire off the following GPG command.

gpg --full-generate-key

When you follow the key generation dialog, make sure you:

  • Use RSA and RSA for your encryption algorithm.
  • Make your RSA keys 4096 bits in length.
  • Use a ~52 character password for your secret key.

Once you have generated your keys, export the public key to upload to Facebook.

gpg --armor --output public-key.gpg --export <email>

Open up the file and it should look something like this.

-----BEGIN PGP PUBLIC KEY BLOCK-----
[base64-encoded key data]
-----END PGP PUBLIC KEY BLOCK-----
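
Before pasting the export into Facebook, it helps to confirm that the file holds only a public key and that it matches the RSA 4096 settings chosen above. The script below is an added example, not part of the original post; the function names (`armor_kind`, `check_listing`, `check_export`) are hypothetical and the sample listings are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an exported key
# before pasting it into Facebook. Function names here are hypothetical.

# armor_kind FILE: print "private", "public" or "unknown" from the armor header.
armor_kind() {
    if grep -q -- '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$1"; then
        echo private
    elif grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1"; then
        echo public
    else
        echo unknown
    fi
}

# check_listing: read `gpg --with-colons` output on stdin. Succeeds only if
# there are no secret-key records and every key/subkey is RSA (algorithm 1)
# with at least 4096 bits. Fields: 1=record type, 3=length, 4=algorithm, 5=key ID.
check_listing() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" { print $1 " " $5 ": secret key material"; bad = 1 }
        $1 == "pub" || $1 == "sub" {
            seen = 1
            if ($4 != 1)   { print $1 " " $5 ": not RSA (algorithm " $4 ")"; bad = 1 }
            if ($3 < 4096) { print $1 " " $5 ": only " $3 " bits"; bad = 1 }
        }
        END {
            if (!seen) { print "no public key record found"; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# check_export FILE: full check of a real export (needs gpg on the PATH).
check_export() {
    [ "$(armor_kind "$1")" = public ] || { echo "$1: not a public key block"; return 1; }
    gpg --show-keys --with-colons "$1" | check_listing
}

# Constructed sample listings; key IDs and timestamps are made up.
GOOD_LISTING='pub:-:4096:1:AAAAAAAAAAAAAAAA:1500000000:::-:::scESC:
uid:-::::1500000000::::Example User <user@example.com>:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::e:'
WEAK_LISTING='pub:-:2048:1:CCCCCCCCCCCCCCCC:1500000000:::-:::scESC:'
LEAKED_LISTING='sec:-:4096:1:AAAAAAAAAAAAAAAA:1500000000:::-:::scESC:'

printf '%s\n' "$GOOD_LISTING" | check_listing && echo "good sample: ok"
printf '%s\n' "$WEAK_LISTING" | check_listing || echo "weak sample: rejected"
printf '%s\n' "$LEAKED_LISTING" | check_listing || echo "secret-key sample: rejected"
```

On a real export, run `check_export public-key.gpg`; the `--show-keys` option needs a reasonably recent GnuPG 2.x.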

Adding the public key to Facebook

Now go to Settings -> Security and Login -> Advanced -> Encrypted notification emails.

Once you reach this page, you can copy and paste your public key into the text box.

Check the box that says “Use this public key to encrypt notification emails that Facebook sends you?” Then save changes.

Decrypting the confirmation email and confirming the process

Once you have saved your changes in the last step, you will get a maiden voyage email from Facebook asking you to confirm, by following a link, that the encrypted notification emails are working correctly.

We can now download the encrypted.asc attachment from the email and decrypt the notification with GPG. Go back to the command line and decrypt the .asc file to see the notification. Write the output to an HTML file so you don’t have to read the raw HTML code in the notification; a browser renders it just fine. Have the secret passphrase you entered while creating the public and secret key ready, as it is used during the decryption process.

gpg --output encrypted.html --decrypt encrypted.asc

Open the decrypted HTML file in a browser by double-clicking on it. You will get this confirmation page, which you verify by clicking on the link they specify.

This link will take you back to Facebook and confirm that encrypted email notifications are working. Note that all account recovery emails will be encrypted as well.

Exporting our OpenPGP keys

Since our account recovery emails are now encrypted, this has its pros and cons. Theoretically, only we will have the private key needed to decrypt a notification if our email is compromised, which matters especially for the password change process. It is a decent defense-in-depth approach. However, that means losing the keys could lock us out completely. To offset that drawback, we can export our public and secret keys and upload them to a cloud server or put them on a USB key stored away in a safe. To export the keys, enter the following commands. You will need your secret passphrase to export the private key, so have it accessible.

gpg --output public-pgp.key --armor --export <email>
gpg --output private-pgp.key --armor --export-secret-key <email>

Conclusion

Obviously, this isn’t for everyone. Most people are not going to bother with the steps to configure the encryption. This is mostly geared to encryption advocates, or high-profile individuals for whom a major Facebook compromise would be a huge liability. It’s worth highlighting that this feature is here if this level of security is what you need for your environment.

Bonus

If encrypting and decrypting on the command line isn’t your thing, or doesn’t scale to a large number of Facebook notifications, there are some decent plugins you can integrate into your email client.

I have been programming for 7 years with over 10 years of systems administration. This is my blog to write about technology, current events, code, spread awareness, rant and rave and write the wrongs of the past. I am into new technology, programming, archery, turntablism, disc golf and rally racing.
